CIPFA: IS & Personal Responsibility

Information Security & Personal Responsibility

     30 September 2009 : Hardwick Hall

     Sapphire Consultant – Vernon Poole

Recognised trainer in Information Security Management

CIPFA’s National IT Audit Panel Representative

Member of ISACA’s Security Management Committee

Head of Business Consultancy at Sapphire – a totally
  independent Information Security Services Company


•   What is Information Security & why councils need to work towards best
    practice compliance (Government has just issued their SPF – Security
    Policy Framework mandating 77 controls)
•   What are the best practice guidelines & how you should respond to the
•   What are your responsibilities under a Personal IS Policy

          What is Information Security?

Information Security addresses the confidentiality, integrity and
availability of information related assets*.

Information is an asset which, like other important business assets,
has value to an organisation and consequently needs to be suitably

   *Information related assets covers the council’s reputation,
   electronic, paper-based, hardware, software and physical assets

                  It’s not just I.T.

   What is Information Security Management

Protecting information assets
Directing staff regarding information handling
Ability to demonstrate that robust controls are in place
Ensure compliance standards are met
Measurement of effectiveness/performance

   Information Security Management

Level 1      Information Security

Level 2      Information Security

Level 3      Related Guidance

             Why is it important to us?
All organisations are constantly at risk:
 • Systems unavailable
 • Lost information
 • Data corruption

Good security
 • Protects your information
 • Ensures business continuity
 • Gives confidence

Required response is to be proactive
 • Policy & processes that are practical
 • Achieve compliance to best practice

What is an Information Security Framework?

(Framework diagram, read top to bottom)
 - Inputs: Industry Best Practices, Organisational Requirements, Legal & Regulatory
 - ISO 27001
 - Security Strategy & Policy
 - Information Systems & Network Policies  |  System Dev. & Maintenance Policies
 - Security Awareness

      What IS Risks do you face?
•   Reputation
•   System failure
•   Lifestyle device misuse
•   Fraud
•   E-mail / internet misuse
•   Network attacks
•   Viruses/worms/spyware etc
•   Use of unlicensed software
•   Using pornographic material
•   Terrorist threat
•   Espionage
•   Spoofing / e-mail spam
•   Private work
•   Circulation of jokes or image files

Some people cannot survive without their Lifestyle Devices

              Service Impacts

Loss of Service
 • time loss for all staff
 • stress to recover (increased workload)

Damage to Reputation
 • possible bad press
 • threat to existing and new business

Confidentiality Breaches
 • subject to legal liability
   – ICO is now on a campaign of ‘naming/shaming’

    What are the Information Security Standards?
ISO 27002 is the global best practice standard – covering 11 areas:

1. IS Policy
2. Organising IS
3. Asset Management
4. Human Resources Security
5. Physical/Environmental Security
6. Communications & Operations Management
7. Access Control
8. Information Systems Acquisition & Development
9. IS Incident Management
10. Business Continuity Management
11. Compliance

ISO 27001 is the compliance process (adherence to best practice)

                  1. Information Security Policy

To protect information as well as staff

To ensure confidentiality, integrity & availability of information

Information is protected from misuse, unauthorised access,
inappropriate disclosure

CEO commitment

                  Who does IS Policy apply to ?

  receive IS induction training
  abide by all IS Policies especially Personal IS Policy

Third Party organisations
  controlled access to facilities or information.

IT Suppliers
  ensure IS is taken into account for all systems and services.

 2. Organising IS : Roles & Responsibilities
All Staff
 • Will receive IS induction training
 • Adhere to practical IS guidance
Human Resources
 • Include IS in induction process
 • Support staff during employment
 • Managing exits
ICT Services
 • Control access to systems
 • Ensure technical resilience (firewalls, etc).
Information Governance Manager/Internal Audit
 • Undertake internal audits

        3. Asset Management : Accountability

Councils need to ensure that their intellectual property &
other sensitive or valuable information is controlled in
such a way as to ensure that confidentiality, integrity &
availability are appropriately protected, particularly since
information is often shared internally as well as with

An inventory of all information assets has been drawn up

     3. Asset Management : Classification

To ensure that information assets receive an appropriate
level of protection

Classification guidelines are based on the business need
for sharing or restricting information

Information labelling/handling is in accordance with the
appropriate classification

                       Classification Levels

Level 0 – Unclassified
   Where documents or other assets are of an informal nature, and their loss or
   misappropriation would not result in risk of:
    - Release of commercially sensitive data to third parties
    - Significant financial loss to XXXX or clients

Level 1 – Confidential
   Where an asset contains sensitive strategic and/or financial information belonging
   to XXXX, and its loss or misappropriation might result in:
    - Release of client and 3rd party details / breach of statutory obligations
    - Release of intellectual property to third parties
    - Financial loss to XXXX or clients
    - Degradation of operational activities
    - Guarding against disclosing information for competitive advantage

Level 2 – Client-Confidential
   As for level 1 above but specifically covers client data in electronic or printed form.
   XXXX clients expect that additional security controls are afforded to these items
   whether it’s electronic data or a physical item. This classification level is vital for
   successful client retention in an increasingly competitive market.

Level 3 – Business Critical
   This Level applies where the business activities of XXXX or clients are dependent
   upon the availability of an asset, and its loss or misappropriation might result in:
    - Severe degradation or complete failure of operational systems
    - Exposure of XXXX and clients to significant reputational risks
    - Potential regulatory consequences

           4. Human Resources Security

Life cycle management

Prior to Employment - screening

During Employment – training/disciplinary

On Termination or Change of Employment
   - access amendments/removal & asset recovery

          5. Physical/Environmental Security

To ensure that robust measures are in place

To validate the strength of the physical security controls
   (entry control, perimeter controls etc):
    Secure areas – validate security in all premises
    Equipment security – validate maintenance &
    disposal arrangements

To educate staff to be diligent in adherence to these controls

6. Communications & Operations Management:
       Electronic Perimeter Security

(Layers, outermost first)
 - Perimeter – Firewall
 - Perimeter – McAfee
 - Email – Anti Virus
 - PC – Anti Virus
 - PC – Desktop Lockdown

  7. Access Control: Home working risk assessment
What types of information will the user need access to ?

Does the user work from home on an ad-hoc basis or contracted basis?

Does the equipment used belong to the council?

Where is the workstation to be used (e.g. in shared accommodation,
separate office)?

Is there a need for information to be stored on the local hard disk?

What is the type of connection - dial-up or broadband?

Is there a wireless connection?

       7. Access Control: User Access Control


The purpose of this procedure is to ensure that user access privileges
to the council network facilities are controlled & managed

Type                Event                                                   Responsibility    Form
User Registration   New users                                               HR                Standard Image
User Change         Changing a user’s access rights or required software    Manager           E-mail to Service Desk
User Removal        When someone leaves                                     HR/Manager        E-mail to Service Desk

8. Information Systems Acquisition, Dev & Maintenance
        - Systems Acceptance & Change Control
 To maintain the security of application system
 software & information

 New systems to be implemented in a controlled &
 managed way

 Change control procedures need to be strictly
 controlled to minimise possible corruption

 Restrictions on changes should be discouraged

 Technical reviews – by ICT Services

           9. IS Incident Management

Councils need an effective incident response process
  - to include timelines for recovery
  - to cover accidental & deliberate threats

Incident reporting is compiled from:
   - information collated from Helpdesk Reporting
   - individual incident report forms

A summary is reported to the ‘Information Governance’ Group

    10. Business Continuity Management (BCM)

To ensure that the council has BCM arrangements that allow it to
recover its critical assets in the event of a major incident

A complete business continuity plan (BCP) is in place
(in line with BS25777 – IT Continuity Management) :

- BCP is regularly tested (quarterly)
- BCP is maintained and updated – in development
- BCP is internally reviewed or amended as a result of IS incident reporting

           11. Compliance: Legal Issues

•   Legal Acts (Data Protection; Computer Misuse; Freedom of Information)
•   Due diligence
•   Libel
•   Unlicensed software
•   Breach of confidence
•   Harassment & Discrimination
•   Negligent statements
•   Inadvertent formation of contracts
•   Publication of obscene material

          11. Compliance : Management Review

To ensure ongoing compliance of systems with IS
Policies & Procedures

Compliance with Security Policy
Managers shall ensure that all procedures within their
areas of responsibilities are subject to regular review

Technical Compliance
Responsibility of Information Governance Manager

    Policy Guidance ( IS Policy & Personal IS Policy )

What’s Covered
• responsibilities
• monitoring
• privacy
• personal use of ICT equipment/systems
• misuse of systems
• use of e-mail
• use of the internet
• good practice guidance

Who/what does it apply to:
All staff & ICT equipment/systems

You must sign & confirm that you have read & understood the policy

          Use of ICT : Responsibilities
  use systems & access information appropriately
  safeguard equipment from misuse
  observe legal requirements
  safeguard passwords
  must not compromise security

 ensure staff awareness
 report inappropriate use
 assess training requirements

                Use of ICT: Monitoring

Councils should monitor email & Internet use to reduce
the risk of any event that may compromise the integrity
& availability of its systems/equipment.

Monitoring consists of automated filtering e.g. to protect
users from inappropriate incoming e-mails/files &
accidentally accessing inappropriate websites.

           Use of ICT: Privacy & personal use

As ICT systems are monitored, personal privacy &
confidentiality cannot be assumed.

Systems/equipment & e-mails may be accessed by
management during an individual’s unexpected or
planned absence from work when certain emails
have to be checked regularly and an ‘out of office’
statement is inappropriate.

Users should exercise good judgement regarding
reasonable usage

                 Use of ICT: Misuse of systems

Where employees make inappropriate or excessive
personal use of ICT systems or where there is
persistent or serious misuse, disciplinary action may
take place, which might result in dismissal.

Access to ICT equipment/systems may be suspended
without warning pending investigations of suspected
misuse and may be removed altogether if misuse of
the ICT equipment/systems policy is found.

          Use of ICT: Misuse of systems types

Excessive private use of e-mail & the internet
Forwarding chain e-mails & jokes
Entering contracts without authority
Access/use of personal e-mail accounts, social/society sites
Changing equipment configuration without authorisation
Unauthorised downloads
Attaching non council devices
Password sharing
Installing unauthorised programs

                  Use of ICT: Use of e-mail

It is important that users understand that:

1. e-mails have the same legal status as written documents

2. external e-mail messages should have the appropriate signature files
   & disclaimers

3. suspicious e-mail attachments or URL links from unknown senders
   must not be opened or forwarded to others

4. confidential or sensitive information should not be sent to a council
   e-mail address unless it is sent as an encrypted attachment.

               Use of ICT: Use of Internet

It is important that users understand that:

1. you should not attempt to access illicit web sites, e.g. those containing
   pornography, racist or sexist material, violent images, terrorism or
   criminal activities
2. Customer Services are informed immediately if you accidentally
   access an illicit site on the web
3. home users with council equipment must only connect to personal
   home Internet links if specifically authorised
4. you avoid inadvertently downloading software or programs from the
   internet without specific authorisation

                         Top 10 Tips

1.  Protect the sensitive information you have access to
2.  Adhere to password guidelines
3.  Spot patterns, trends or risks & report appropriately
4.  Challenge or inform someone if a stranger is spotted
    within the office
5.  Dispose of sensitive/classified documentation correctly
6.  Lock personal items away
7.  Adhere to individual policies
8.  Ensure any papers are removed from the
    photocopier/printer/fax machine
9.  Ensure adherence to the Personal IS Policy
10. Respect that your Council takes security seriously


Information Security is everyone’s responsibility

                           Thank you
                Vernon Poole –

FORENSICS
 - Computer Forensics
 - Data Recovery
 - Forensic Email Archiving
 - Forensic Training

BUSINESS CONSULTANCY
 - ISO27001
 - ISO27002
 - ISO27006
 - ISO27030
 - Information Governance

 - Content Security
 - Policy Compliance
 - Application Firewalls
 - End Point Security
 - High Availability
 - Remote Access SSL VPN
 - Strong Authentication

 - Penetration Testing
 - Vulnerability Assessments
 - Strategic Support Agreements
 - Security Audits